What to do with 6.7GB of logs from a http proxy used by someone to initiate attacks?

5

Background:

I had experimented with nginx's proxy caching mechanisms one night to see if I could speed up a very slow website for a friend of mine -- this experiment went on late into the night, at which point I concluded it wasn't a viable option for what he wanted to do.

I forgot to disable the nginx proxy config and sometime later it was picked up by someone who realised they could use it to proxy all their requests via my server, without my noticing. It ran for about 3 months like this before I noticed and put an end to it.

So now I have a 6.7GB apache style log file, with >20 million entries that show over 180GB of traffic used for illicit purposes, showing the date, source IP and destination request.

What can I do with this that could be of benefit to the general internet community? Or is it useless?

Is it safe to publish it, or could that get me in trouble legally somehow? Are there any spam research centres who might benefit from it?

Edit: Just to clarify, the log is entirely that of the proxy'd requests.

Tim Kersten

Posted 2011-10-06T18:30:10.533

Reputation: 153
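An added example, not code from the question or any of the answers, of the two things a defender would typically do with such a log before anyone else sees it: record a fingerprint of the raw file so the preserved copy can later be shown to be unmodified, and reduce it to per-source-IP aggregates that contain no destination URLs. It assumes the Apache combined log format and uses constructed sample lines with placeholder hosts.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (assumption: the
# proxy logged in this format); hosts and addresses are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Oct/2011:18:30:10 +0000] "GET http://example.org/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2011:18:30:11 +0000] "POST http://example.org/login HTTP/1.1" 401 412 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Oct/2011:18:31:02 +0000] "GET http://example.net/ HTTP/1.1" 200 8120 "-" "curl/7.21"
this line is not a valid log entry
"""

# Client IP, timestamp, request line, status and response size of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def summarize(log_text):
    """Per-source-IP request count, bytes served and 4xx/5xx count.
    The request target is matched but never stored, so the result can be
    shared without disclosing any destination."""
    per_ip = defaultdict(lambda: {"requests": 0, "bytes": 0, "errors": 0})
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1          # count, but keep, lines the regex rejects
            continue
        rec = per_ip[m.group("ip")]
        rec["requests"] += 1
        rec["bytes"] += 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        if m.group("status")[0] in "45":
            rec["errors"] += 1
    return dict(per_ip), unparsed

def fingerprint(log_text):
    """SHA-256 of the raw log bytes, to be written down with the archived copy."""
    return hashlib.sha256(log_text.encode()).hexdigest()

if __name__ == "__main__":
    stats, bad = summarize(SAMPLE_LOG)
    print("sha256:", fingerprint(SAMPLE_LOG))
    for ip, rec in sorted(stats.items(), key=lambda kv: -kv[1]["requests"]):
        print(ip, rec)
    print("unparsed lines:", bad)
```

On a real 6.7GB file, read it line by line from disk instead of loading it into a string, and hash the file bytes the same way before touching it.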

Answers

7

Generally speaking, nobody cares about this. It's not like any law enforcement agency will sift through this data in hopes of finding anything. So sending it anywhere is absolutely pointless from this standpoint, except for the warm feeling that you "did a right thing". However:

  1. Don't delete this data. In case some crime activity that went through your proxy gets investigated, this is your only evidence it wasn't you. So burn it into 2 DVDs and keep it safe.

  2. You may want to (formally) report this to law enforcement if your local laws require it. I am not a lawyer and I don't know where you live. Just don't expect any real investigation.

  3. Don't post this data anywhere since you don't really know what is inside. You may be held liable if you publish some innocent third party's private data.

haimg

Posted 2011-10-06T18:30:10.533

Reputation: 19 503

Good points there. I'm tempted to see if I can categorize some of the types of attacks and graph these. I think that would be a way of releasing it to the curious without actually disclosing any private data... – Tim Kersten – 2011-10-06T20:40:19.737

2

You cannot "unsee" what you have seen. I wouldn't touch this data, not even look at it, or process it, or copy it... Having links to, for example, child porn, sprinkled on your hard disk is a bad thing if the police turn up with a search order one day. You'll have a hard time explaining what you were doing exactly. – haimg – 2011-10-06T21:05:25.647

Hmm, fair point. I'll keep that in mind as I think about it. Thanks – Tim Kersten – 2011-10-06T21:23:14.597

6

Definitely keep a backup of the logs "AS-IS". If the perpetrator visited child porn or other illegal sites, law enforcement may knock on your door with a warrant for your arrest and possession of all your computers.

DO NOT post the logs anywhere. Lawyers will tell their clients to say nothing to law enforcement when questioned without legal counsel (even if the client feels they have nothing to hide and are being honest) because clients do not know the legal system and laws well enough to keep from providing law enforcement some motive, evidence or probable cause that may be used against them. Seek legal counsel before posting any log data.

See the Tor Legal FAQ for some helpful legal Q&A, especially the Exit Relays section. Also, the EFF Know Your Rights is worth the read.

Dan Cruz

Posted 2011-10-06T18:30:10.533

Reputation: 1 095

I like this. +1 – Xavierjazz – 2011-10-08T15:34:06.987

3

http://www.justice.gov/criminal/cybercrime/reporting.htm

You could report it here, and spend 45 minutes filling out a report/complaint, or you can call on the phone, and get a human, and they can tell you what to do with it.

Because it takes 2 years for the government to do anything, if they ever thought you were part of it, you could be holding that for a long time. File a report, save the report, bag it and tag it :-)

Psycogeek

Posted 2011-10-06T18:30:10.533

Reputation: 8 067

1

Unless I was sure that they were using it to, as you say, "initiate attacks", I would ignore it. You have disabled it.

Xavierjazz

Posted 2011-10-06T18:30:10.533

Reputation: 7 993

Yeah, figure, was thinking of doing that. I will hang onto it though, in case I get blamed for any attacks, this is my proof that it wasn't me. – Tim Kersten – 2011-10-06T18:34:54.567

1

If you're concerned, keep it on an 8GB flash drive in a safe place – Canadian Luke – 2011-10-06T18:37:58.540

1

The proxy was used to initiate attacks. I can see the brute-force password attacks in the logs. – Tim Kersten – 2011-10-06T19:02:41.283

Well, if you are sure it was used in that manner, it seems to me that it is a matter for the police. It is not only illegal, but is causing distress and damage. – Xavierjazz – 2011-10-06T19:05:05.680